Antoine Beaupré wrote:
> There are, however, people *not* running Debian-built kernels, and
> sometimes for good reasons. This is a configuration that we should
> still support.

It is supported, but it's also clearly documented that people need to
enable this sysctl for custom kernels:
https://www.debian.org/releases/jessie/amd64/release-notes/ch-whats-new.en.html#security

> Incidentally, I wonder if we should remove the patch we have on the
> Debian kernels to change the defaults, and instead rely on the
> sysctl. I have added the kernel team in CC to have their input.

Why revert the kernel? That doesn't buy us anything. It would be
better to ask upstream to revisit this decision (e.g. by contacting the
KSPP mailing list). I suppose that SuSE, Ubuntu and Red Hat
are shipping similar patches/defaults, so it's probably safe to say
that those protections are now the status quo (as opposed to five
years ago when that feature was freshly introduced).

Cheers,
Moritz